Secure communication based on noisy input dataPhysically unclonable functions
Stephan Sigg
June 28, 2011
Physical random functions Controlled Physical random functions CPUF API Conclusion
Overview and Structure
05.04.2011 Organisational
15.04.2011 Introduction
19.04.2011 Classification methods (Basic recognition, Bayesian, Non-parametric)
26.04.2011 Classification methods (Linear discriminant, Neural networks)
03.05.2011 Classification methods (Sequential, Stochastic)
10.05.2011 Feature extraction from audio data
17.05.2011 Feature extraction from the RF channel
24.05.2011 Fuzzy Commitment
31.05.2011 Fuzzy Extractors
07.06.2011 Error correcting codes
21.06.2011 Entropy
28.06.2011 Physically unclonable functions
Stephan Sigg | Secure communication based on noisy input data | 2
Physical random functions Controlled Physical random functions CPUF API Conclusion
Outline
Physical random functions
Controlled Physical random functions
CPUF API
Conclusion
Stephan Sigg | Secure communication based on noisy input data | 3
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Physical random functions / Physically unclonable functions:Random functions that can only be evaluated with the help of aphysical system
DefinitionA PUF is a random function that can only be evaluated with the help ofa specific physical system. The inputs to a physical random function arechallenges and the outputs are responses.
Stephan Sigg | Secure communication based on noisy input data | 4
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Digital PUFs Simplest kind of PUF. Digital key K is embedded in atamper-proof package along with some logic thatcomputes
Response = RF (K ,Challenge)
for some random function RF
Stephan Sigg | Secure communication based on noisy input data | 5
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Optical PUFs Made of transparent optical medium containing bubbles.Shining a laser beam through the medium producesspeckle pattern (response) that depends on exactposition/direction of incoming beam.
Stephan Sigg | Secure communication based on noisy input data | 6
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Silicon PUFs Challenge is an input to a circuit that reconfigures thepath that signals follow through the circuit. Response isrelated to the time it takes for signals to propagatethrough a complex circuit.
Stephan Sigg | Secure communication based on noisy input data | 7
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Security of PUFs relies on difficulty of extracting all necessaryparameters from a complex physical system
Attacker trying to extract all physical parameters might modify thePUF in the process
This makes PUFs tamper resistant to some extend
Stephan Sigg | Secure communication based on noisy input data | 8
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
PUF implementations build on random manufacturing variations(bubble position or exact wire delays):Exact behaviour is a mystery even for the manufacturer
Not feasible to create two identical copies of a PUF
A difficulty of optical and silicon PUFs is that their output is noisy
Error correction that does not compromise the security is required1
1G.E. Suh, C.W. O’Donnell, I. Sachdev, S. Devadas, Design and implementation of the AEGIS single-chip secure
processor using physical random functions, Proceedings of the 32nd Annual International Symposium of computerArchitecture, 2005
Stephan Sigg | Secure communication based on noisy input data | 9
Physical random functions Controlled Physical random functions CPUF API Conclusion
Physical random functions
Standard application: Key-card2
Lock stores a database of challenge response pairs (CRPs) for PUF
When the bearer of the PUF wants to open the lock, it selects achallenges it knows and asks the PUF for the corresponding response
Each CRP can be used only once : Card will eventually run out of PUFs
2R. Pappu, Physical One-Way Functions, PhD thesis, MIT, 2001
Stephan Sigg | Secure communication based on noisy input data | 10
Physical random functions Controlled Physical random functions CPUF API Conclusion
Outline
Physical random functions
Controlled Physical random functions
CPUF API
Conclusion
Stephan Sigg | Secure communication based on noisy input data | 11
Physical random functions Controlled Physical random functions CPUF API Conclusion
Controlled Physical random functions
DefinitionControlled physical random function (CPUF):PUF that can only be accessed through specific API
Main problem with uncontrolled PUFs: Anybody can query the PUF forthe response to any challenge
In order to engage in cryptography with a PUF device, a user has toexploit the fact that only he and the device know the response to aspecific challenge.
Stephan Sigg | Secure communication based on noisy input data | 12
Physical random functions Controlled Physical random functions CPUF API Conclusion
Controlled Physical random functions
Third party could try to overhear challenge, obtain response from PUFand spoof the device
Problem: Adversary can freely query the PUF
By using CPUFs, Access to PUF restricted by control algorithm thatprevents this attack
Embedding control logic for PUF in physical system of PUF makes itdifficult to conduct invasive attacks on the control logic
Stephan Sigg | Secure communication based on noisy input data | 13
Physical random functions Controlled Physical random functions CPUF API Conclusion
Controlled Physical random functions
The PUF and its control logic have complementary roles
The PUF protects the control logic from invasive attacks
The control logic protects the PUF from protocol attacks
Stephan Sigg | Secure communication based on noisy input data | 14
Physical random functions Controlled Physical random functions CPUF API Conclusion
Controlled Physical random functions
Applications for CPUFsApplications for CPUFs include applications that require singlesymmetric key on a chip
Smartcards that implement authentication:Current smart-cards: Hidden digital keys can be extracted usingvarious attacks
PUF on the smartcard: Can authenticate chip – Digital key notrequired (Smartcard hardware itself is the secret key)
Key can not be duplicated: Person that temporary looses control ofcard need not fear that an adversary might have cloned the card orthat the security became somehow impaired.
Stephan Sigg | Secure communication based on noisy input data | 15
Physical random functions Controlled Physical random functions CPUF API Conclusion
Outline
Physical random functions
Controlled Physical random functions
CPUF API
Conclusion
Stephan Sigg | Secure communication based on noisy input data | 16
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
CPUF typically modelled as general-purpose processing element withaccess to a PUF
Man-in-the-Middle Attack:Adversary intercepts communication to device wants Alice to acceptincorrect result as coming from device
Alice would execute the following protocol
Stephan Sigg | Secure communication based on noisy input data | 17
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Alice would execute the following protocol
1 Pick one CRP (Char, Response) at random
2 Execute the following function on the PUF:
1: GetAuthenticBroken(Chal){2: my Resp = PUF(Chal);3: // Do some computation, produce result4: return (Result, MAC(Result, Resp));5: }
3 Use the MAC and Response to check that the data is authentic
Stephan Sigg | Secure communication based on noisy input data | 18
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Protocol is not secure against Man-in-the-Middle attacks
Attacker could
1 Intercept message send to GetAuthenticBroken and extract Chal
2 Execute on the PUF:
1: StealResponse(Chal){2: return (PUF(Chal));3: }
3 Forward Alice the message MAC(FakeResult, Response)
4 Since the MAC was computed with the correct response, Aliceaccepts FakeResult
Stephan Sigg | Secure communication based on noisy input data | 19
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Problem: When Alice releases her challenge, Adversary can ask PUF forcorresponding response and impersonate PUF
Problem persists as long as the PUF freely provides responses
Stephan Sigg | Secure communication based on noisy input data | 20
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetSecretTo solve this problem:PUF shall only be accessed via callGetSecret(Chal)=Hash(PHashReg, PUF(Chal))
PUF reveals combination of response and executed program instead ofresponse
Since the Hash is a one-way function: Response not recovered easily
Stephan Sigg | Secure communication based on noisy input data | 21
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetSecretWe alter the call of Alice accordingly:
1: GetAuthenticBroken(Chal){2: hashblock()({// HB3: // Do some computation, produce result4: });5: my Secret = GetSecret(Chal);6: return (Result, MAC(Result, Secret));7: }
Stephan Sigg | Secure communication based on noisy input data | 22
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetSecretAlice can now compute Secret from Response by computingHash(PHash(HB),Response) to check the MAC
An adversary has no way of obtaining Secret
Stephan Sigg | Secure communication based on noisy input data | 23
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetCRPHowever, the solution presented may be too restrictive for Alice also
With no CRP:No way for Alice to obtain one in the first place:Device never reveals response
Possible solution: Primitive called GetCRP that
1 Picks a random challenge
2 Computes the response
3 Returns the response to the caller
When space of challenges large enough:Unlikely that attacker can compute CRPs identical to Alice’s
Stephan Sigg | Secure communication based on noisy input data | 24
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetResponseProblem: Random number generators often vulnerable to attacks
Therefore: Might prefer alternative that not relies on a RNG that much
Replace GetCRP by GetResponse()=PUF(PHashReg)
Now: Anybody can generate CRP (PHashReg,GetResponse())
But: Due to hash function, nobody can generate specific CRP
Stephan Sigg | Secure communication based on noisy input data | 25
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetResponse
Stephan Sigg | Secure communication based on noisy input data | 26
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
GetResponseMan-in-the-Middle attack is prevented since each user has his own CRPs
Challenges can be public, but responses are required to be private
When not told the secret and GSH not leaks information, adversary canonly obtain secret by hashing appropriate response
No way for adversary to obtain this response
Therefore:Man-in-the-Middle attacks are prevented since PUF accessed onlythrough GetSecret and GetResponse.
Stephan Sigg | Secure communication based on noisy input data | 27
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Challenge response pair managementHow to get the response to the legitimate user?The following sequence is proposed for CRP management
After manufacturing manufacturer gets device-CRP withBootstrap
Manufacturer uses Introduction to provide CRPs to certificationauthorities
Certification authorities provide CRPs to end users
Anybody in possession of a CRP can create new CRPs by Renew
Stephan Sigg | Secure communication based on noisy input data | 28
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Bootstrapping
1 Pick a pre-challenge PreChal at random
2 Execute
1: Bootstrap(PreChal){2: hashblock(PreChal)({3: Return GetResponse();4: });5: }
3 The challenge for the CRP is obtained by calculating PHash(HB)
If PreChal is not known, the security relies on the hash function
Stephan Sigg | Secure communication based on noisy input data | 29
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Renewal
1 Pick a pre-challenge PreChal at random
2 By using an old challenge OldChal, execute
1: Renew(OldChal, PreChal){2: hashblock(OldChal, PreChal)({3: my NewResponse = GetResponse();4: my Secret = GetSecret(OldChal);5: return Encrypt(NewResponse, Secret);//Key:Secret6: });7: }
3 Compute Hash(PHash(HB), OldResponse) to calculate Secret,check the MAC with it and retrieve NewResponse
Stephan Sigg | Secure communication based on noisy input data | 30
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
RenewalWhen the response corresponding to OldChal is only known to theuser, the method is secure.
Stephan Sigg | Secure communication based on noisy input data | 31
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
IntroductionProvide user with CRP
Assumption:Trusted channel between user and certifier
Stephan Sigg | Secure communication based on noisy input data | 32
Physical random functions Controlled Physical random functions CPUF API Conclusion
CPUF API
Introduction
1 Cert. authority picks (OldChal, OldResponse), computesSecret=Hash(PHash(HB), OldResponse) and returns (OldChal, Secret)
2 User picks pre-challenge PreChal at random and executes
1: Introduction(OldChal, PubKey, PreChal){2: hashblock(PubKey, PreChal)({3: my NewResponse = GetResponse();4: my Message = PublicEncrypt(NewResponse, PubKey);5: my Secret’ = GetSecret(OldChal);6: Return (Message, MAC(Message, Secret’));7: });8: }
3 User checks MAC with Secret. (Secret=Secret’ since both are computed asHash(PHash(HB), OldResponse)). User Decrypts Message and computesPHash(HB) to obtain Response and Challenge
Stephan Sigg | Secure communication based on noisy input data | 33
Physical random functions Controlled Physical random functions CPUF API Conclusion
Outline
Physical random functions
Controlled Physical random functions
CPUF API
Conclusion
Stephan Sigg | Secure communication based on noisy input data | 34
Questions?
Stephan [email protected]
Stephan Sigg | Secure communication based on noisy input data | 35
Physical random functions Controlled Physical random functions CPUF API Conclusion
Literature
C.M. Bishop: Pattern recognition and machine learning, Springer, 2007.
P. Tulys, B. Skoric, T. Kevenaar: Security with Noisy Data – On privatebiometrics, secure key storage and anti-counterfeiting, Springer, 2007.
W.W.Peterson, E.J. Weldon, Error-Correcting Codes, MIT press, 1972.
R.O. Duda, P.E. Hart, D.G. Stork: Pattern Classification, Wiley, 2001.
Stephan Sigg | Secure communication based on noisy input data | 36